Blocking of WMF

Randal, Phil prandal at
Tue Mar 17 12:33:44 GMT 2009

Should be OK (until next WMF vulnerability is discovered) if you have
MS09-006 applied.



Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal at

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: mailscanner-bounces at
[mailto:mailscanner-bounces at] On Behalf Of Jethro
R Binks
Sent: 17 March 2009 12:18
To: mailscanner at
Subject: Blocking of WMF

For a long time we've had the following rule enabled:

# JKF 01/01/2006 Another Microsoft security vulnerability
deny    \.wmf$          Windows Metafile security vulnerability
                        Possible format attack in Windows

More and more we are finding that .WMFs are being discovered in the
zipfile that MS Office 2007 documents are composed of.  This MS kb
article alludes to one particular issue relating to "thumbnail.wmf"

but we very often see "image1.wmf", "image2.wmf", etc discovered too.

Very often, the sending user is completely oblivious to the presence of
images in the document (zip file), nor what to do to remove them or save
them as something else, and at least in the case of the "thumbnail.wmf" 
content, this is something that the application itself has generated
without the user knowing about it.

So my question is twofold:

1. do other sites have this issue and what do they do about it;

2. is blocking of .WMF justified these days, given that patches for the
potential vulnerability have been available for many years now.  Is it
still being actively exploited?

Thoughts welcome,


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website! 

More information about the MailScanner mailing list